Date: Thu, 16 May 2024 16:09:51 +0200
From: Peter Zijlstra
To: Kees Cook
Cc: Linus Torvalds, Kees Cook, Justin Stitt, Mark Rutland, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, llvm@lists.linux.dev
Subject: Re: [RFC] Mitigating unexpected arithmetic overflow
Message-ID: <20240516140951.GK22557@noisy.programming.kicks-ass.net>
References: <202404291502.612E0A10@keescook> <202405081144.D5FCC44A@keescook> <202405081354.B0A8194B3C@keescook> <20240515073636.GY40213@noisy.programming.kicks-ass.net> <25882715-FE44-44C0-BB9B-57F2E7D1F0F9@kernel.org>
In-Reply-To: <25882715-FE44-44C0-BB9B-57F2E7D1F0F9@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, May 16, 2024 at 06:30:32AM -0700, Kees Cook wrote:
>
>
> On May 15, 2024 12:36:36 AM PDT, Peter Zijlstra wrote:
> >On Wed, May 08, 2024 at 04:47:25PM -0700, Linus Torvalds wrote:
> >> For example, the most common case of overflow we've ever had has very
> >> much been array indexing. Now, sometimes that has actually been actual
> >> undefined behavior, because it's been overflow in signed variables,
> >> and those are "easy" to find in the sense that you just say "no, can't
> >> do that". UBSAN finds them, and that's good.
> >
> >We build with -fno-strict-overflow, which implies -fwrapv, which removes
> >the UB from signed overflow by mandating 2s complement.
>
> I am a broken record. :) This is _not_ about undefined behavior.

And yet you introduced CONFIG_UBSAN_SIGNED_WRAP... *UB*san, get it?

> This is about finding a way to make the intent of C authors
> unambiguous. That overflow wraps is well defined. It is not always
> _desired_.

C has no way to distinguish between the two cases. The current semantics are (and have been for years, decades at this point) that everything wraps nicely and code has been assuming this. You cannot just change this. So what you do is do a proper language extension and add a type qualifier that makes overflows trap and annotate all them cases where people do not expect overflows (so that we can put the __builtin_*_overflow() things where the sun don't shine). And pretty please, also do a qualifier modification extension, because that's totally painful already.
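The two semantics the thread argues about, side by side, as an added example that is not code from the thread or from the kernel: `wrapv_add()` models the 2s-complement wrap that `-fno-strict-overflow`/`-fwrapv` guarantees (written with unsigned arithmetic so it is well defined whatever flags the compiler is given), while `checked_add()` and `array_bytes()` use the `__builtin_*_overflow()` calls Peter would rather see replaced by a type qualifier. The function names, the negative-index scenario and the saturate-to-`SIZE_MAX` policy are choices made here for illustration; only the GCC/Clang builtins are real.

```c
/*
 * Added example (not from the thread or the kernel tree).
 * Build: gcc -fwrapv -Wall example.c  (clang works too)
 */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Wrapping semantics, spelled out: this is what -fwrapv promises for
 * signed '+'. Done via unsigned so the example itself is not UB; the
 * unsigned->int conversion is modulo 2^N on GCC and Clang.
 */
int wrapv_add(int a, int b)
{
	unsigned int u = (unsigned int)a + (unsigned int)b;

	return (int)u;
}

/* Pure predicate: does a + b leave the range of int? */
bool add_overflows(int a, int b)
{
	int unused;

	return __builtin_add_overflow(a, b, &unused);
}

/*
 * Checked semantics: the caller is told about the overflow instead of
 * receiving a wrapped (here: negative) index. *out is untouched on
 * failure so stale values cannot leak through.
 */
bool checked_add(int a, int b, int *out)
{
	int tmp;

	if (__builtin_add_overflow(a, b, &tmp))
		return false;
	*out = tmp;
	return true;
}

/*
 * Allocation-size arithmetic: n * elem in size_t. On overflow the
 * result saturates to SIZE_MAX (a policy chosen for this example) so
 * that any allocator fed the value fails loudly rather than handing
 * back an undersized buffer.
 */
size_t array_bytes(size_t n, size_t elem)
{
	size_t bytes;

	if (__builtin_mul_overflow(n, elem, &bytes))
		return SIZE_MAX;
	return bytes;
}

int main(void)
{
	int idx = 0;

	/* Well defined under -fwrapv, but the "index" is now negative. */
	printf("wrapv: %d + 1 = %d\n", INT_MAX, wrapv_add(INT_MAX, 1));

	/* Same arithmetic, but the overflow is reported instead. */
	if (!checked_add(INT_MAX, 1, &idx))
		printf("checked: INT_MAX + 1 overflows, index rejected\n");

	printf("array_bytes(10, 4) = %zu\n", array_bytes(10, 4));
	printf("array_bytes(SIZE_MAX/2 + 1, 2) = %zu (saturated)\n",
	       array_bytes(SIZE_MAX / 2 + 1, 2));
	return 0;
}
```

Note that `__builtin_mul_overflow()` still writes the wrapped product into its output on overflow, which is why `array_bytes()` discards it and returns `SIZE_MAX` explicitly rather than trusting the stored value.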